HP ProCurve 9304M Security Manual page 76

Security Guide for ProCurve 9300/9400 Series Routing Switches
• SCP/SFTP/SSH URI Format
NOTE: The CLI commands for setting up and configuring SSHv2 on an HP device are identical to those for
SSHv1.
If you are using redundant management modules, you can synchronize the RSA host key pair between the active
and standby modules by entering the sync-standby code command at the Privileged EXEC level of the CLI.
When you subsequently enter the write memory command, the RSA host key pair is synchronized to the standby
module.
HP's SSHv2 implementation is compatible with all versions of the SSHv2 protocol (2.1, 2.2, and so on). At the
beginning of an SSH session, the HP device negotiates the version of SSHv2 to be used. The highest version of
SSHv2 supported by both the HP device and the client is the version that is used for the session. Once the
SSHv2 version is negotiated, the encryption algorithm with the highest security ranking is selected to be used for
the session.
Tested SSHv2 Clients
The following SSH clients have been tested with SSHv2:
• SSH Secure Shell 3.2.3
• V an Dyke SecureCRT 4.0
• F-Secure SSH Client 5.3
• Tera Term Pro 3.1.3
• PuTTY 0.54
• OpenSSH 3.5_p1
Supported Encryption Algorithms for SSHv2
The following encryption algorithms are supported with HP implementation of SSHv2:
• AES
• T wofish
• Blowfish
• 3 DES
• Arcfour(RC4)
• CAST
• None selected
Supported MAC (Message Authentication Code) Algorithms
The following MAC algorithms are supported with HP implementation of SSHv2:
• M D5
• S HA
• None selected
Configuring SSH
HP's implementation of SSH supports two kinds of user authentication:
• RSA challenge-response authentication, where a collection of public keys are stored on the device. Only
clients with a private key that corresponds to one of the stored public keys can gain access to the device using
SSH.
• Password authentication, where users attempting to gain access to the device using an SSH client are
3 - 2 June 2005